Bitcoinica Stolen From… Again

Bitcoinica has fallen far in these past four months. The margin trading service that was once hailed as a revolutionary margin trading service and a shining beacon of success in the Bitcoin economy has become a locus of scandals and thefts, as skilled online intruders continue to peck at the now defunct service’s diminishing million-dollar supply of customers’ funds and its operators continue to struggle to pay users even a 50% share of what they are owed.

Bitcoinica’s downfall started on March 1. Linode, a web hosting provider then used by Bitcoinica, Slush and the Bitcoin Faucet, was hacked by an unknown intruder, who proceeded to empty all Bitcoin wallets that were running on the service, taking 5 BTC from the Bitcoin Faucet, 3,000 BTC from Slush and 43,000 BTC, then worth about $220,000 USD, from Bitcoinica. The loss was a large one, but the site nevertheless kept running and was able to guarantee its users’ deposits.

Then, however, came a second attack. On May 11, an intruder managed to break into Bitcoinica through a compromised email account, and proceeded to lift 18500 BTC from Bitcoinica’s hot wallet. This time, the site could not keep operating, and it shut down and opened up a claims process through which users could petition for a refund on their deposits. However, the intruder also managed to delete Bitcoinica’s account registry, leaving the team in charge of the claims process no way to verify user account balances was to look through a collection of various trading records, causing the claims proceedings to slow down to a crawl.

Now, Bitcoinica has been struck yet again. On July 13, another thief withdrew the maximum possible from the MtGox account that was holding the remaining portion of Bitcoinica users’ funds, clearing out 40,000 BTC and 40,000 USD, or a net total of $350,000 USD at the time of the breach. The attack was possible because the LastPass account that was storing the passwords needed to access the MtGox account was set to the same password as the MtGox API key used by the Bitcoinica server to access funds when Bitcoinica was still running. While the original thief had the opportunity to steal these funds at any point after the breach on May 11, the opportunity became accessible to anyone a few days before this latest theft, when the Bitcoinica server’s source code was publicly released to the internet. The API key was stored in the source code, and another thief discovered that the key was also the LastPass password, and that no form of additional second-factor authentication was required to use the Last Pass account, and proceeded to log on to MtGox and withdraw the funds.

Regardless of his level of responsibility for earlier breaches that had to do with the security of Bitcoinica itself, this time Zhou Tong is clearly innocent. He writes in a thread on Hacker News on the subject: “I didn’t set the password. I didn’t have the power to change the password. I shouldn’t have access to the account. The root cause is LastPass account being stolen.” And the other parties agree; both Bitcoin Consultancy and Tihan Seale, Bitcoinica’s secretive investor, much prefer to blame each other, the core issue being who is responsible for setting the two passwords to the same value. As Bitcoin Consultancy’s Amir Taaki writes, “The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack. Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.” Tihan, on the other hand, showed himself for only the third time so far on the Bitcointalk forums and wrote :”I claim no expertise to judge the security of the master password but it was very long. Its status as a master password and its use in all respects were fully understood by the Consultancy upon acceptance. If the Consultancy deemed this password to be unfit for ongoing use, they certainly had the opportunity and the duty to change it.” This miscommunication appears to be the core of the problem, regardless of whether the greater problem was Tihan not clearly speaking or Bitcoin Consultancy not clearly listening.

As for what this means for the users, the result is that claimants will be forced to take a 30% cut on their deposits. Because of the difficulty of figuring out some users’ exact balances, the claims fund had settled on a strategy of paying claims in two stages – 50% as soon as the claim is processed, and the remainder of the claims fund proportionately to all depositors once all claims are processed. About 40% of claims have been processed so far, and, as far as can be determined for certain, so far no one has received more than 50%, so the general strategy for determining and paying claims is expected to hold even if the second round of payments will be in the form of 20% of claimants’ funds rather than the entire remaining 50%. However, the implementation of the strategy will be a problem – Amir Taaki reported in his post on the subject that “The payments process was looking good, but now Patrick [the sole individual responsible for handling claims up to now] has walked away and I’m unsure what happens next.” Meanwhile, Zhou Tong has come up with his own solution: he created his own claims processing service, voluntarily contributing 5,000 BTC out of his own profits from running and selling Bitcoinica to spread among all claims that he deemed valid. Over 80,000 BTC worth of claims were filed, and claimants received a 6.239% share of their losses. Zhou Tong emphasizes that his process was independent from Bitcoinica, and that both his claimants and those who missed the opportunity should seek their 70% payment from the official claims process as well.

Many victims of the crisis have already written off the situation as hopeless and are content to simply wait and see if they ever do get any of their money back, but others are not so willing to back down. The possibility that there will be a lawsuit against Bitcoinica is very real, and what will happen to the claims process in that case is unknown – Bitcoinica Consultancy’s Patrick Strateman, at least, believes that “if anybody decides to file a criminal complaint you will effectively guarantee that it will be months or even years before anybody sees their funds.” Whatever direction Bitcoinica Consultancy chooses to take the claims proceedings from here, one can only hope that depositors will be able to collect the remaining portion of the funds from Bitcoinica’s supply faster than the thieves will.

Vitalik Buterin is a co-founder of Bitcoin Magazine who has been involved in the Bitcoin community since 2011, and has contributed to Bitcoin both as a writer and the developer of a fork of bitcoinjs-lib, pybitcointools and multisig.info, as well as one of the developers behind Egora. Now, Vitalik's primary job is as the main developer of Ethereum, a project which intends to create a next-generation smart contract and decentralized application platform that allows people to create any kind of decentralized application on top of a blockchain that can be imagined.